T23
Concurrent Class
10/3/2013 3:00:00 PM
"The Google Hacking Database: A Key Resource to Exposing Vulnerabilities"
Presented by:
Kiran Karnad
Mimos Berhad
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 ∙ 904-278-0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
Kiran Karnad
MIMOS Berhad
After more than sixteen years in software testing and implementation, Kiran Karnad found his
true calling in penetration testing. Proudly calling himself a hands-on lead for information
security, Kiran has worked with several Fortune 500 companies and mentored software test
teams in multiple geographies. Currently leading the functional and security efforts at MIMOS,
Kiran strives to identify process improvement opportunities throughout the organization and to
implement them effectively.
9/19/2013
1
Product Quality and Reliability Engineering Team
Kiran Karnad, MIMOS Bhd
The Google Hacking Database
A Key Resource to Exposing Vulnerabilities
Disclaimer
Google & Bing Basics - OSINT
Basic, Phrase, Advanced Search
What's Google Hacking All About?
Sample Hacks
Script for OSINT
What's This All About?
In the Recent Past
If you are not hacked, you are not important!
What can be hacked?
Network
Hardware hacking
Wireless
Social Engineering
Mobile
Lock Picking
Web hacking
What you don’t know might hurt…
OSINT
OSINT: let's define it
Intelligence collected from public sources: Google, social engines (details on next slide)
OSINT communities:
Government: FBI, CBI, etc.
Military: Defence Intel Agency, Homeland Security
Business: Commercial, Competitor INT, BI
Anonymous & LulzSec: shodan, GHDB
OSINT: some methods
It’s what you expose
GOOGLE HACKING
How Google Works
Search Types Supported
Basic Search
Phrase Search
Advanced Operators
BASIC SEARCH
The most used type of search
So InSenSItiVe
5W1H (who, what, when, where, why, how): Google doesn’t mind
Mark my Ten Words, that's it
The reason for the previous results…
* Avoiding * 10-word limitation *
And I’m Always There
Now, try this… +the * *
Search Types
General Search
Not cAsE seNSitiVE
No more than 10 keywords in a search
Google ignores “a”, 5w1h, this, to, we
AND is always implied
Example: Date of birth of Hugh Jackman
Phrase Search
“Use quotes”
Use + to force a term and - to exclude one
No space follows these signs
See the SERPs for searches with and without quotes
“More shrewd searches”
PHRASE SEARCH
“Is there a difference?”
Force The Plus, Exclude The Minus
OR vs. AND
OR | or
A quick Recap
Operators
Logical: OR (case sensitive)
Mathematical: + (must) and - (not) have special meaning
No Stemming
OK: “It's the end of the * as we know it”
KO: “American Psycho*” won't give psychology or psychophysics
* represents a whole word, not the completion of a word
Period is a single-character wild card
Let's try some
Stop No More!
ADVANCED OPERATORS
Know Thy Web Page
intitle:
inurl:
intext:
inanchor:
filetype:
numrange:
Let’s try one query:
http://www.google.com/#q=100000000..999999999+filetype:sql
Advanced Operators = advanced queries
Syntax: operator:search_term, with no space before or after the :
List of the most used advanced operators:
intitle:
inurl:
intext:
inanchor:
filetype:
Continued…
Advanced Operators contd…
Try a space between the operator and the term and see the results count
More Advanced Operators
numrange:
daterange:
site:
related:
cache:
link:
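Added example, not code from the deck: a small Python parser that applies the syntax rules above (operator:term with no space around the colon, quoted phrases, + and -, case-sensitive OR, * as a whole-word wildcard, a..b as a numrange) to the deck's own queries. It makes the "try a space" experiment visible: a spaced `intitle:` is parsed as an ordinary search word, which is why the result count changes. The operator set and the dict keys are this example's own choices.

```python
import re
from typing import Dict, List

# Operators listed in the deck. Google reads the name case-insensitively, but a
# space after the colon turns "intitle:" back into an ordinary search word.
OPERATORS = {"intitle", "inurl", "intext", "inanchor", "filetype", "numrange",
             "daterange", "site", "related", "cache", "link",
             "allintitle", "allinurl", "allintext"}

# optional sign (+ force, - exclude), optional operator:, then "a phrase" or a bare word
TOKEN_RE = re.compile(r'(-|\+)?(?:(\w+):)?("[^"]*"|\S+)')


def parse_query(query: str) -> List[Dict]:
    """Split a Google query into clauses following the rules in the deck."""
    clauses: List[Dict] = []
    for sign, op, raw in TOKEN_RE.findall(query):
        op = op.lower()
        phrase = len(raw) > 1 and raw.startswith('"') and raw.endswith('"')
        value = raw[1:-1] if phrase else raw
        if op and op not in OPERATORS:        # e.g. the "http:" of a pasted URL
            value, op = f"{op}:{value}", ""
        if not op and not phrase:
            if value in ("OR", "|"):          # OR is case sensitive; "or" is a term
                clauses.append({"op": "OR"})
                continue
            if value == "AND":                # AND is always implied, so drop it
                continue
            if re.fullmatch(r"\d+\.\.\d+", value):   # 100..999 is a numrange
                op = "numrange"
        clauses.append({"sign": sign, "op": op, "value": value,
                        "phrase": phrase, "wildcard": value == "*"})
    return clauses


def operators_used(query: str) -> List[str]:
    """Operators actually applied; a spaced colon silently drops them."""
    return [c["op"] for c in parse_query(query) if c.get("op") and c["op"] != "OR"]
```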
T1ll n0w, w3 534Rch3d…
Fr0m n0w, w3 H4ck
B451c
Phr453
0p3r4t0r5
intitle:index.of server.at
So What?
What can a hacker do with this info?
Go to http://www.cvedetails.com
Check vulnerabilities for Apache 2.2.16
Trigger Metasploit
intitle:index.of server.at site:aol.com
Linux server installer files are obtained
Files on AOL server.
Files on MIT server.
Hyped Music
Query is: intitle:index.of name size
Check out the site hypem.com in the SERPs
Try directory traversal from any page; you can download tons of music!
Their business is selling music online!
Directory Listings
Show server version information, useful for an attacker:
intitle:index.of server.at
intitle:index.of server.at site:aol.com
Finding Directory Listings:
intitle:index.of "parent directory"
intitle:index.of name size
Our Learning Till Now…
Piracy MP3s
intitle:index.of mp3 jackson AND iso kaspersky
Remember, Google stems!
Piracy MP3s
intitle:index.of mp3 jackson
Yields 20+ pages of songs in mp3 format
No need to wait for website instructions!
Remember, Google stems!
intitle:index.of iso kaspersky
Gets the AV installers from various websites
Most of them with a professional key or cracks
Even beta versions are available
More Piracy ISO
inurl:microsoft intitle:index.of filetype:iso
Get MS ISO files from everywhere!
Johnny's Disclaimer
Listing all the index pages…
Each of these pages can be hacked since the hacker knows the version and type of the App Server, Database & the Web Server
Listing all the subdomains
HR Intranet with details on…
inurl:intranet intitle:intranet +intext:"human resources"
Some details a hacker gets from here:
HR Forms and Policies
New Staff Info
Consultation
Health Benefits
Salary packaging
Contact Person
Office and Meeting Room Layout
Emails and Phones
Training
Pay Calculation
PuTTY SSH Logs with juicy info
Usernames and Passwords
Results here: d:\official\white papers\starwest2013\uname-pwd.xls and uname-pwd2.xls
SQL Injectable Websites
The first query brought 38K results
Just by reordering, we got 3.3 Mil in less time!
Each of these can be hacked with SQLI and all these are just PHP!
Our Learning Till Now…
Combining operators does the magic
inurl:microsoft.com inurl:www.microsoft.com
inurl:intranet intitle:intranet +intext:"human resource"
filetype:log username putty
inurl:admin intext:username= AND email= AND password= OR pass= filetype:xls
intitle:index.of inurl:admin
filetype:php inurl:id="
Database Querying
Query to get mySQL connection details
This also enumerates all the tables via the SQL, so you know the connection details, IP and the tables!
Login, Password, Website All in One!
The Query: filetype:xls "username | password"
Number of results: 46500
One of the results on page 1:
http://teachersites.schoolworld.com/.../files/teachers%20passwords.xls
A Quick Q
inurl:"passes" OR inurl:"passwords" OR inurl:"credentials" -search -download -techsupt -git -games -gz -bypass -exe filetype:txt @yahoo.com OR @gmail OR @hotmail OR @rediff
What do you think this query does?
Our Learning Till Now…
filetype:phps mysql_connect
filetype:xls "username | password"
inurl:"passes" OR inurl:"passwords" OR inurl:"credentials" -search -download -techsupt -git -games -gz -bypass -exe filetype:txt @yahoo.com OR @gmail OR @hotmail OR @rediff
Let’s dig in some more!
NOT BORED YET?
Which sites have been hacked?
inurl:"r00t.php"
All hacked sites have a r00t.php
The Logs might help
Checking hacked website logs for more info
allintext:"fs-admin.php"
Must Tries
Hacked websites: inurl:"r00t.php"
Hacked logs: allintext:"fs-admin.php"
Finding login for portals: intitle:admin intitle:login
SSH usernames: filetype:log username putty
Getting user list: inurl:admin inurl:userlist
Passwords!: filetype:pass pass intext:userid
SQL Passwords: filetype:sql password
Usernames: inurl:admin filetype:xls
Passwords: inurl:password filetype:xls
More!!: inurl:passwd filetype:xls (pdf, doc, mdb)
More Stuff!
intitle:"Index of" passwords modified
allinurl:auth_user_file.txt
"access denied for user" "using password"
"A syntax error has occurred" filetype:ihtml
allinurl: admin mdb
"ORA-00921: unexpected end of SQL command"
inurl:passlist.txt
"Index of /backup"
"Chatologica MetaSearch" "stack tracking:"
Listings of what you want
Change the word after "parent directory" to what you want:
"parent directory " DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " "Name of Singer or album" -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
CGI Scanner
Google can be used as a CGI scanner. The index.of or inurl searches are good tools to find vulnerable targets. For example, a Google search for this:
allinurl:/random_banner/index.cgi
Hurray! There are only four, two now… the broken random_banner program will cough up any file on that web server, including the password file…
Passwords
"# -FrontPage-" inurl:service.pwd
FrontPage passwords… very nice clean search results listing!!
"AutoCreate=TRUE password=*"
This searches the password for "Website Access Analyzer", a Japanese software that creates web statistics. For those who can read Japanese, check out the author's site at: http://www.coara.or.jp/~passy/
"http://*:*@www" domainname
This is a query to get inline passwords from search engines (not just Google); you must type in the query followed by the domain name without the .com or .net, e.g.:
"http://*:*@www" gamespy or http://*:*@wwwgamespy
Another way is by just typing "http://bob:bob@www"
More Passwords: IRC and Access
"sets mode: +k"
This search reveals channel keys (passwords) on IRC as revealed from IRC chat logs.
eggdrop filetype:user user
These are eggdrop config files. Avoiding a full-blown discussion about eggdrops and IRC bots, suffice it to say that this file contains usernames and passwords for IRC users.
allinurl: admin mdb
Not all of these pages are administrator's access databases containing usernames, passwords and other sensitive information, but many are!
MySQL Passwords & ETC directory
intitle:"Index of" config.php
This search brings up sites with "config.php" files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database.
intitle:index.of.etc
This search gets you access to the etc directory, where many, many, many types of password files can be found. This link is not as reliable, but crawling etc directories can be really fun!
Passwords in backup files
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
This will search for backup files (*.bak) created by some editors or even by the administrator himself (before activating a new version). Every attacker knows that changing the extension of a file on a web server can have ugly consequences.
Serial Numbers
Let's pretend you need a serial number for Windows XP Pro. In the Google search bar type in just like this: "Windows XP Professional" 94FBR. The key is the 94FBR code; it was included with many MS Office registration codes, so this will help you dramatically reduce the amount of 'fake' sites (usually pornography) that trick you. Or if you want to find the serial for WinZip 8.1:
"WinZip 8.1" 94FBR
Credit Cards!!
Number ranges to find Credit Card, SSN, Account Numbers
Amex (15 digits): 300000000000000..399999999999999
MC (16 digits): 5178000000000000..5178999999999999
Visa (16 digits): 4356000000000000..4356999999999999
Working Samples!
Credit-Cards-Pastebin.txt
Some More Working Samples…
CC TV Control
The first query produced 3000+ results!
Let’s click on one of the SERPs
You can control the camera: pan, scan, tilt & zoom
Many more queries possible for CCTV:
inurl:LvAppl intitle:liveapplet
inurl:"viewerframe?mode=motion"
intitle:"Live View / - AXIS"
intitle:"snc-rz30 home"
inurl:indexFrame.shtml "Axis Video Server"
So where is the database?
http://www.exploit-db.com/google-dorks/
So, how do I secure myself?
OK, I’M CONVINCED
Securing ourselves from Google Hackers
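Added defender-side example, not from the deck or its author: a self-audit that walks a local web document root and flags the same artefacts the deck's queries surface, so you find them before Google does: directories with no index file (listable when directory indexes are on), *.bak copies, config.php and other well-known credential files, .phps source views, and spreadsheet/log/text files with credential-like names. The sample tree is constructed for the demo, and the file-name lists are this example's own selection from the queries in the deck.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Artefacts the deck's queries surface, checked here on disk instead of via Google.
INDEX_FILES = {"index.html", "index.htm", "index.php"}
SECRET_FILES = {"config.php", "service.pwd", "auth_user_file.txt", "passlist.txt",
                ".htaccess", ".htpasswd", "passwd", "shadow", "htusers"}
DOC_EXTS = {".xls", ".csv", ".txt", ".pdf", ".doc", ".mdb", ".log", ".sql"}
CRED_WORD = re.compile(r"pass(word|wd|es)?|credential|user(name|list)|uname", re.I)


def audit_docroot(root: str) -> List[Tuple[str, str]]:
    """Return (relative posix path, reason) for every item a Google hacker would find."""
    findings: List[Tuple[str, str]] = []
    top = Path(root)
    for dirpath, _, filenames in os.walk(top):
        rel_dir = Path(dirpath).relative_to(top)
        if not set(filenames) & INDEX_FILES:   # listable if Options Indexes is on
            findings.append((rel_dir.as_posix(), "no index file: directory listing (intitle:index.of)"))
        for name in filenames:
            rel, low = (rel_dir / name).as_posix(), name.lower()
            ext = Path(low).suffix
            if low in SECRET_FILES:
                findings.append((rel, "credential file inside the document root"))
            elif ext == ".bak":                 # config.php.bak is served as text, not executed
                findings.append((rel, "backup copy served verbatim (filetype:bak)"))
            elif ext == ".phps":
                findings.append((rel, "PHP source view exposes mysql_connect() (filetype:phps)"))
            elif ext in DOC_EXTS and CRED_WORD.search(Path(low).stem):
                findings.append((rel, f"credential-like name in a {ext[1:]} file (filetype:{ext[1:]})"))
    return findings


def build_sample_docroot() -> str:
    """Constructed sample tree (not a real site) that trips several of the checks."""
    top = Path(tempfile.mkdtemp(prefix="docroot-"))
    files = {"index.html": "<h1>ok</h1>", "public/index.html": "", "public/logo.png": "",
             "hr/index.php": "<?php ?>", "hr/teachers passwords.xls": "constructed",
             "backup/config.php.bak": "<?php $dbpass = 'constructed'; ?>",
             "inc/config.php": "<?php ?>"}
    for rel, body in files.items():
        path = top / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return str(top)


if __name__ == "__main__":
    for path, reason in audit_docroot(build_sample_docroot()):
        print(f"{path}: {reason}")
```

Treat each finding as something to fix at the source rather than hide with robots.txt: turn directory indexes off, keep configuration and credential files outside the document root, and deny *.bak and *.phps in the web server configuration.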
To Inspire You To Be A Security Tester
SOME ADDITIONAL INFO
BHDB
How Vulnerability Scanners work
Scanner Limitations
If the DB doesn’t have it, it won’t detect it: purely signature based
Authentication by the scanner is not trustworthy
Lacks IDS detection bypass
No realistic fuzzing possible
Can’t replace manual SQL Injection
No intelligence in detecting attack vectors and surfaces
Working with custom apps is a limitation
Can identify points of weakness but can’t anticipate complex attack schemes
Can’t handle asynchronous & offline attack vectors
Limitations should be clearly understood
Can’t detect logic flaws, weak cryptographic functions, information leakage, etc.
So, who are these hackers?
WHERE DO ACTUAL
HACKS COME FROM
Real-life hacker categories
Top Simple Security Searches that Work!
THE TAKE-AWAY
Queries
Combine searches with the “site:” operator
intitle:index.of (leads to a direct hack)
intitle:intranet | help.desk
filetype:xls username OR password
inurl:admin inurl:userlist
More Queries…
inurl:admin OR inurl:password filetype:xls (csv)
inurl:lvappl Live Applet site:*.*
inurl:intranet intitle:intranet +intext:"human resources"
filetype:log username putty
So where is the GH “database”?
Top Ten Searches PDF (http://tinyurl.com/starwestghdb2013)
Automating the Google Searches
AUTOMATION
Search API / OS Script
Google Web Search API (WSDL): deprecated
Now Custom Search APIs are used
Google controls the use: https://developers.google.com/web-search/terms
Open source script: http://pastebin.com/uE5wJWMy
1. Download the script
2. Rename as .JS
3. Create data file
4. Call in any HTML
http://www.exploit-db.com/google-dorks/
Tools within OS Systems
Open source penetration testing platforms such as Backtrack and Kali support tools for Google hacking. They are:
Exploit-DB
Searchsploit
Goodork
Websploit
Social Engineering Toolkit
Burp Suite (decoder)
So…
About the Presenter